Abstract

We introduce a new technique, component-based garbled circuits, for increasing the efficiency of secure two-party computation in the offline/online semi-honest setting. We observe that real-world functions are generally constructed in a modular way, comprising many standard components such as arithmetic operations and other common tasks. Our technique allows circuits for these common tasks to be garbled and shared during an offline phase; once the function to compute is specified, these pre-shared components can be chained together to create a larger garbled circuit. We stress that we do not assume that the function is known during the offline phase, only that it uses some common, predictable components.

We give an implementation, CompGC, of this technique and measure the efficiency gains for various examples. We find that our technique results in roughly an order of magnitude performance improvement over standard garbled circuit-based secure two-party computation.


1 Introduction


Secure two-party computation allows a pair of parties, each with private input, to compute a function of those inputs without sharing them with each other. This is an extremely powerful tool, and it was shown by Yao to be feasible using an approach termed garbled circuits [Yao86]. Since then, a long line of work has aimed to increase the efficiency of garbled circuit-based secure computation. This paper continues that effort.

In particular, our goal is to allow the use of offline pre-processing to significantly reduce online computation time for garbled circuit-based computation. This is not a new goal. Beaver, for example, showed how precomputation can significantly increase the online speed of the required oblivious transfers (OTs) [Bea95]. Others have found similar ways to increase the online efficiency of the cut-and-choose technique needed for malicious security [HKK+14, LR14, LR15]. There is also a long history of precomputation in the setting of non-garbled circuit-based two-party computation [DPSZ12, NNOB12].

In the semi-honest setting in which all of our constructions work, it has long been known that precomputation can greatly increase efficiency if the function is known ahead of time, with only the inputs specified at the time of online computation. The protocol is simple: the garbler computes the entire garbled circuit ahead of time, with only OT computations (which can also be preprocessed, but still require some online communication), communication of the inputs, and evaluation done online. However, requiring that the function be known ahead of time is a substantial limitation.

In this work, we show a way to achieve a similar benefit without prior knowledge of what circuit will be computed. Towards this goal, we note that most functions of interest are built in a modular way. Just as one would use functions in a programming language, the circuits for these functions use components that perform common tasks. There might be a portion of the circuit that takes the maximum of two numbers, for example, or that computes a hash function. We show that one can precompute garbled circuits for these smaller components and then chain them together in the online phase when the function to be computed is specified. We call this component-based garbled circuit construction. We show cryptographic protocols for carrying it out, and we provide an open-source implementation, CompGC, that achieves large efficiency gains, upwards of an order of magnitude improvement in online computation time, versus standard garbled circuit-based secure two-party computation.

We can imagine this system being used in several different ways. In the most narrow case, parties may know roughly what sort of function will be computed. For example, they might be unsure only of the input length. In this case, they can compute a narrow set of components specifically tailored to that function. This incurs slightly greater total computation cost in exchange for greatly improved online speed.

In a more general setting, parties might engage frequently in computation of a given general type. A library of common operations might be developed for that particular type of computation. Cryptographic functions, for example, commonly rely on a small set of operations, including large components like those for computing standard hash functions and blockciphers and smaller components for simple tasks like bitwise XOR of two strings. Geometric computations, on the other hand, might require a large number of matrix operations. Other libraries could be developed for computations in machine learning, finance, or other general areas, or specifically tuned to the needs of a larger application of which the secure computation was part.

Finally, in the most general setting, parties engaging in a great deal of computation over time could compute an enormous library with a huge number of possible component types. This would allow extraordinarily fast (online) computation of a wide array of functions.

We note that in the last two use cases discussed above, substantial storage would be required. There would also be significant setup cost. However, components in our scheme that are not used for one computation can be saved for the next. That means that the component library that the parties have precomputed can be maintained simply by replacing used components. As a result, the amortized total cost of each computation is not greatly increased, and latency is drastically reduced. We also allow load balancing, since parties can replace used components whenever computational resources are available.

1.1 Our Contributions

Our contributions go well beyond pointing out the ability to divide a circuit into pieces. We give formal specifications for how to create and connect components. We also give a practical, open-source implementation, CompGC, and show experimentally that our method allows for drastically reduced online computation. Specifically, we make the following contributions.

Component-based garbled circuits. We give a protocol for precomputing garbled circuits for given components, and for combining these components as needed at runtime. We show that security is maintained by this protocol. This construction allows arbitrary linkage between component wires while requiring online communication of only one label per component input wire. We note that this technique is very similar to the "partial garbled circuits" of Mood et al. [MGBF14], although it was used for a different purpose in that work and, as described, required two labels per connection, whereas we only need a single label per connection. Additionally, a long line of work [NO09, FJN+13, FJNT15] building on the so-called "LEGO" approach to maliciously secure garbled circuits uses essentially the same technique to solder garbled circuits out of pre-garbled NAND gates. However, none of these three papers give an implementation or experimental evaluation to demonstrate the practical benefit of this technique for real applications.

CompGC implementation. We develop our own standalone library libgarble^1 for garbling circuits. Our library is based on the JustGarble implementation of Bellare et al. [BHKR13], but makes many internal improvements to the codebase. None of these improvements constitute theoretical improvements to the underlying algorithm, but rather optimizations of the code. For example, we revise the data structure by which circuits are stored in order to speed access to certain data. We believe this is a valuable contribution on its own, and is relevant even when not using our component-based precomputation strategy. Our library improves the performance of garbling and evaluating an AES circuit by 10% and 22%, respectively, as compared to JustGarble, along with many other improvements, including support for half-gates [ZRE15] and privacy-free garbled circuits [FNO15] alongside a consistent API.

1 https://github.com/amaloz/libgarble
We then use libgarble as a building block to create a complete secure computation system, CompGC. This tool allows parties to precompute any specified library of components during the offline phase, using libgarble to garble each component. During the online phase, it creates a series of instructions for the evaluator that allows the chaining of the relevant components, and it handles the extra computation (outside of garbling and evaluation) that is required to distribute the input wire labels and decipher the output wire labels.

Experimental results. We use this implementation to conduct several experiments. We consider three settings: (1) computing AES using a single-round AES component as a building block; (2) using this single-round AES component to allow for encryption of arbitrary length messages using CBC mode; and (3) computing Levenshtein distance, which can be used for any number of applications, including text processing and genetic analysis. Here, again, we are eliminating the need to know the input length before computation. We measure total online time required to perform the secure computation over both localhost and a simulated realistic network configuration. In all of these measurements, we see substantial efficiency improvements due to precomputation. For example, when computing Levenshtein distance between two 60 symbol strings, where each symbol comes from an 8-bit alphabet, we see a greater than order of magnitude improvement (from 10.6 seconds to 752 milliseconds) when using our approach over the naive approach of sending the circuit online. See Section 6 for more details.

All of our work is done in the semi-honest model. We believe there are many use cases of secure computation for which semi-honest security is sufficient: for example, when two mutually trusting companies or agencies are prevented from sharing data by policy or legal restrictions, but otherwise trust each other to behave honestly. We also view semi-honest security as a natural stepping stone, and we expect these techniques can, with additional work, be extended to the malicious setting as well.

1.2 Paper Organization

The remainder of this paper is organized as follows. Section 2 summarizes the related prior work. Section 3 provides background information on garbled circuits and secure two-party computation, introducing the necessary notation that we use in the remainder of the paper. Section 4 describes our component-based garbled circuit technique. Section 5 provides the details on our prototype implementation of the described primitives and Section 6 gives the experimental results evaluating the performance of our schemes for several common classes of functions. We conclude in Section 7.


2 Related Work


Garbled circuits were first introduced by Yao in the 1980s [Yao86] as a tool for general secure two-party computation. While they were originally viewed mainly as a theoretical tool, this view has changed significantly over the past decade or so. Starting with the Fairplay system of Malkhi et al. [MNPS04], garbled circuits have been built into prototypes of secure computation. This has led to a long line of work (e.g. [BHKR13, HKS+10, HEKM11, KsS12, Mal11, MGBF14, PSSW09, SHS+15]) that aims to improve the efficiency of garbled circuits and to build usable and practical systems for various real-world applications. Out of this work, the most efficient known implementations (not using specialized massively-parallel hardware [KsS12]) of general garbled circuit-based computation are TinyGarble [SHS+15] for security against semi-honest adversaries, which is based on the efficient garbling procedure introduced by JustGarble [BHKR13], and the "Blazing Fast 2PC" system [LR15] for malicious adversaries (in the offline/online model).

One method for increasing the efficiency of garbled circuit-based secure computation is to work in the offline/online model and use preprocessing to reduce the online running time. A substantial line of work has focused on reducing the cost of the cut-and-choose technique [LP07] for malicious security using preprocessing [HKK+14, LR14, LR15]. However, all of these works require that the function to compute be defined during the pre-processing phase. Our goal is to allow the benefits of pre-processing even when one knows little about the function that might be computed.

In attempting to increase the online efficiency of secure computation, we are guided by many prior works that identified as a major bottleneck the time and bandwidth necessary to transmit the garbled circuit to the evaluator. Several works [KMR14, KS08, NPS99, PSSW09, ZRE15] aim to reduce the size of the circuit that must be communicated between the generator and evaluator. We see this paper as continuing this effort, aiming to reduce the amount of communication necessary in the online phase of garbled circuit evaluation. While we do not further reduce the overall size of the garbled circuit to be transmitted, we significantly reduce the amount of communication necessary in the online phase, after the function to compute and the inputs are chosen.

As communication is the main bottleneck, Gueron et al. [GLNP15] argue that the speed improvements made by JustGarble disappear due to the need to transmit the circuit. Because we send the circuit components in the offline phase, communication is no longer the bottleneck and we can thus reap all the performance benefits of using a JustGarble-based garbling library.

The idea of breaking circuits into smaller pieces appeared previously in the work of Mood et al. [MGBF14], where it was called "partial garbled circuits". Rather than use it to reduce online computation and communication time as we do here, Mood et al. used it as a way to reuse values in internal gates of a garbled circuit across multiple computations. Their technique also requires sending two correction labels per wire, whereas we can do it with just one. Additionally, several prior works using the "LEGO" approach to building garbled circuits [NO09, FJN+13, FJNT15] use this idea to assemble circuits out of pre-garbled NAND gates.

3 Preliminaries

In this section we briefly introduce the notation and key primitives that we use, as well as some background.

3.1 Garbled Circuits

Garbled circuits are the main tool used for all of our constructions. Our presentation here follows [GLNP15, LR14], which is adapted from [BHR12], and we refer the reader to those works for a more detailed presentation.

Garbled circuits, proposed originally by Yao [Yao86], are a way of encoding a Boolean circuit that allows for secure evaluation of the function computed by that circuit. This encoding has the property that given encodings of values for each input wire, it is possible to evaluate the function computed by this circuit (i.e., learn the values of the output wires) without learning the values of the input wires or any of the internal circuit wires. This enables two-party secure computation where one party produces the garbled circuit and the input labels, and the other party evaluates the circuit to produce the output. This is described in more detail in Section 3.3.

More formally, a garbling scheme consists of two algorithms $(\mathrm{Garble}, \mathrm{Eval})$. On input a security parameter $1^\kappa$ and a circuit $C$, $\mathrm{Garble}(1^\kappa, C)$ returns the triple $(GC, e, d)$ where $GC$ is the garbled circuit, $e$ is the ordered set of input wire labels $\{(W_i^0, W_i^1)\}_{i \in \mathrm{inputs}(C)}$, and $d$ is the ordered set of output labels $\{(W_i^0, W_i^1)\}_{i \in \mathrm{outputs}(C)}$.

Given a garbled circuit $GC$ and a set of input labels $X = \{W_i^{x_i}\}_{i \in \mathrm{inputs}(C)}$, $\mathrm{Eval}(GC, X)$ computes the garbled output $Z$ such that, using the set $d$, it is possible to recover the actual output $z$ (i.e., by finding $Z$ in the ordered set of output labels).

Example. The most straightforward example of a garbled circuit is Yao's original scheme. Each wire $w_i$ has two associated labels, $W_i^0$ and $W_i^1$, corresponding to values 0 and 1 respectively. For each gate there is a table like Table 1. This table contains encryptions of the labels for the gate's output wire, using the labels of the input wires as keys. The encryptions are chosen so that the evaluator, knowing the labels of the two input wires, can decrypt the proper label of the output wire (and nothing else). Repeated evaluation of gates then propagates knowledge of the correct wire labels (for whatever initial input labels were given) through the entire circuit.
$w_0$ label   $w_1$ label   $w_{out}$ label   garbled table entry
$W_0^0$       $W_1^0$       $W_{out}^0$       $\mathrm{Enc}_{W_0^0}(\mathrm{Enc}_{W_1^0}(W_{out}^0))$
$W_0^0$       $W_1^1$       $W_{out}^0$       $\mathrm{Enc}_{W_0^0}(\mathrm{Enc}_{W_1^1}(W_{out}^0))$
$W_0^1$       $W_1^0$       $W_{out}^0$       $\mathrm{Enc}_{W_0^1}(\mathrm{Enc}_{W_1^0}(W_{out}^0))$
$W_0^1$       $W_1^1$       $W_{out}^1$       $\mathrm{Enc}_{W_0^1}(\mathrm{Enc}_{W_1^1}(W_{out}^1))$

Table 1: Garbled AND gate. Only the values in the last column are sent to the evaluator. If the input wires have values $a$ and $b$, then the evaluator knows $W_0^a$ and $W_1^b$ and can therefore decrypt $W_{out}^{a \wedge b}$.


Privacy. In order to be useful for secure two-party computation, it is necessary that garbled circuits satisfy the following privacy notion. The values seen by the evaluator, $GC$, $d$, and $X$, should not reveal any information about $x$ that is not revealed by the output $C(x)$. Formally, we require that there exist a polynomial time simulator $\mathcal{S}$ that on input $(1^\kappa, C, C(x))$ outputs a simulated garbled circuit that is indistinguishable from $(GC, e, d)$ generated by Garble. Since $\mathcal{S}$ knows $C(x)$ but not $x$, this captures the fact that the output of Garble does not reveal anything (else) about $x$.

Free-XOR. Our constructions make use of one critical improvement to the original garbled circuits called free-XOR [KS08], which allows for XOR gates to be evaluated "for free" without requiring any garbled tables to be included in the garbled circuit. Specifically, this technique works by choosing a global random value $R$ and then ensuring that the labels for all circuit wires have a difference of $R$. That is, for any wire $w_i$, $W_i^0 \oplus W_i^1 = R$. This enables the secure evaluation of an XOR gate by simply computing the XOR of the two incoming labels, as $R$ cancels out appropriately.

3.2 Oblivious Transfer

Another key component for secure two-party computation is oblivious transfer (OT) [EGL82, Rab05]. OT is a two-party primitive where one party (the sender) has as input two $n$-bit strings $(m_0, m_1)$ and the other party (the receiver) has a bit $b$. OT enables the receiver to receive $m_b$ from the sender, while preventing the sender from learning which string was received (the value of $b$) and preventing the receiver from learning anything about the other string. In this paper we use the semi-honest OT construction by Naor and Pinkas [NP00].

One technique for optimizing OT that we make critical use of is OT preprocessing [Bea95]. OT preprocessing allows splitting any OT protocol into an expensive offline phase and a much cheaper online phase. Specifically, in the offline phase, before the inputs are known, OT is performed on random inputs for both the sender and receiver. This requires a number of expensive cryptographic operations. However, in the online phase the pre-OT'd values are used to perform the OT on the parties' actual inputs without needing any additional expensive operations.
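The following Python program is an added illustration of the offline/online split just described; it is not code from the paper or from the CompGC/libgarble implementation. The expensive offline OT on random inputs is modelled by a trusted sampling of its outputs (an assumption standing in for the Naor-Pinkas protocol the paper uses), and the online phase consists only of Beaver's derandomisation messages: one bit from the receiver and two masked strings from the sender, computed with XOR alone. The message length and all names are this example's own.

```python
import os
import secrets
from dataclasses import dataclass
from typing import Tuple

MSG_LEN = 16   # byte length of the sender's two strings (assumption of this example)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class SenderPre:          # what the sender keeps from the offline random OT
    r0: bytes
    r1: bytes


@dataclass
class ReceiverPre:        # what the receiver keeps: a random choice bit c and r_c
    c: int
    rc: bytes


def offline_random_ot() -> Tuple[SenderPre, ReceiverPre]:
    """Models the outcome of the expensive offline OT on random inputs. A trusted
    sampling stands in for the real protocol here (assumption): the sender ends
    up with (r0, r1) and the receiver with (c, r_c), exactly as a real OT would give."""
    r0, r1 = os.urandom(MSG_LEN), os.urandom(MSG_LEN)
    c = secrets.randbelow(2)
    return SenderPre(r0, r1), ReceiverPre(c, r1 if c else r0)


def receiver_msg(pre: ReceiverPre, b: int) -> int:
    """Online, receiver -> sender: d = b xor c. Since c is uniform and unknown
    to the sender, d reveals nothing about the real choice bit b."""
    return b ^ pre.c


def sender_msg(pre: SenderPre, d: int, m0: bytes, m1: bytes) -> Tuple[bytes, bytes]:
    """Online, sender -> receiver: m0 masked with r_d and m1 masked with r_{1-d}.
    No public-key operation is left in the online phase, only XORs."""
    rd, rd1 = (pre.r0, pre.r1) if d == 0 else (pre.r1, pre.r0)
    return xor(m0, rd), xor(m1, rd1)


def receiver_output(pre: ReceiverPre, b: int, y: Tuple[bytes, bytes]) -> bytes:
    """The receiver strips r_c from y_b. The other string y_{1-b} stays masked
    by r_{1-c}, which the receiver never learned."""
    return xor(y[b], pre.rc)


def run_ot(m0: bytes, m1: bytes, b: int) -> bytes:
    """Complete offline/online OT; returns the string the receiver obtains."""
    s_pre, r_pre = offline_random_ot()           # offline phase, inputs unknown
    d = receiver_msg(r_pre, b)                   # online phase: 1 bit
    y = sender_msg(s_pre, d, m0, m1)             # online phase: 2 masked strings
    return receiver_output(r_pre, b, y)


if __name__ == "__main__":
    m0, m1 = b"label-for-bit-0!", b"label-for-bit-1!"   # constructed sample inputs
    for b in (0, 1):
        print(b, run_ot(m0, m1, b))
```

In the 2PC protocol of Section 3.3 the two strings are the evaluator's two candidate input-wire labels for one bit of $y$, so each evaluator input bit costs one preprocessed OT plus this cheap online exchange.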

3.3 Secure Two-party Computation

We now briefly describe how garbled circuits and oblivious transfer can be used to realize secure two-party computation. That is, to enable two parties to compute a joint function on their inputs without either party learning more than what is implied by its input and output. In this work we focus on two-party computation that is secure against a semi-honest adversary corrupting either of the two parties. That is, such an adversary follows the protocol as specified, but attempts to learn extra information from its interactions. For a formal treatment of the security of two-party computation we refer readers to the book by Goldreich [Gol09].

In garbled circuit-based two-party computation of circuit $C$, we identify the two parties as the garbler who has input $x$ and the evaluator who has input $y$. The garbler first runs $\mathrm{Garble}(C)$ to produce $(GC, e, d)$. He then sends $GC$ and an encrypted form of $d$ to the evaluator together with the wire labels corresponding to the bits of the garbler's input $x$. The encrypted form $D$ of $d$ corresponds to a random permutation of $\{\mathrm{Enc}_{W_i^0}(0), \mathrm{Enc}_{W_i^1}(1)\}_{i \in \mathrm{outputs}(C)}$.

Now, for each bit of the evaluator's input $y$, the garbler and evaluator run an OT protocol by which the evaluator learns the appropriate wire label (without revealing that bit of $y$ to the garbler). Now, the evaluator has all the inputs to run $\mathrm{Eval}(GC, X)$ to recover the output wire labels. It then uses these wire labels to decrypt the entries in $D$ to learn the appropriate output. If output by both parties is desired, the evaluator can send this output to the garbler.

4 Component-Based Garbled Circuits

As our first contribution, we introduce the concept of component-based garbled circuits to allow for much of the work involved in building and transmitting a garbled circuit to be done in an offline phase before the inputs or even the function to compute are known. This allows us to significantly improve the online performance of secure two-party computation schemes using garbled circuits. Our improvements stem from the observation that a common way to build circuits (and programs) is to compose them out of common building blocks or components. For example, common components such as circuits for arithmetic operations, cryptographic functions, and text processing can form the base for large classes of general computation.

We show how to take advantage of such common components for designing efficient garbled circuits. Specifically, our approach is to pre-garble a large number of common component circuits in an offline phase. Note that we do not need to know the computation to be performed (besides the generic components used to create said computation) or the inputs during this offline phase. Then, in an efficient online phase, we show how to link these components to form the actual circuit we wish to compute. We only need to send a single wire label for each of the input wires in each component. Even if components are all single gates, this corresponds to sending only one label per wire, which is half the size of the best known garbled circuit construction [ZRE15]. However, components will rarely be a single gate. We believe that in many applications (including those used in our experiments) circuits will use many large components, and all wires internal to a given component require no communication at all. Since the time to communicate the garbled circuit is the major bottleneck, this leads to significant savings in the overall garbled circuit computation; see Section 6 for details.

More technically, a component-based garbling scheme is a triple of algorithms $(\mathrm{Garble}, \mathrm{Link}, \mathrm{Eval})$. Garble and Eval are variants on the corresponding methods for standard garbled circuits, while Link is new.

Garble. The Garble procedure is unchanged, but now is given a component $c$ as input (in place of a complete circuit $C$). $\mathrm{Garble}(c)$ outputs the garbled component $GC_c$, input wire set $e_c$, and output wire set $d_c$, for this component.

Link. On input two garbled components $c_0 = (GC_0, e_0, d_0)$ and $c_1 = (GC_1, e_1, d_1)$ as well as a mapping of output wires of $c_0$ to input wires of $c_1$, Link produces the link labels needed to convert from $c_0$ output wires to $c_1$ input wires. Specifically, suppose that output wire $w_i$ of $c_0$ has labels $(W_i^0, W_i^1)$ and input wire $w_j$ of $c_1$ has labels $(W_j^0, W_j^1)$. Then, to link these two wires, Link outputs $W_{ij} = W_i^0 \oplus W_j^0$. Note that since we use the free-XOR optimization, we know that both $W_i^1 = W_i^0 \oplus R$ and $W_j^1 = W_j^0 \oplus R$ for some random value $R$. Therefore, we have that $W_i^0 \oplus W_j^0 = W_i^1 \oplus W_j^1$, so a single label $W_{ij}$ is sufficient to connect both the zero and the one wire labels. This allows us to reduce the communication necessary to one label per component wire (together with a specification of which wire to link to which wire).

Eval. On input a list of garbled components $\{c_i\}$ and linking labels $\{W_{ij}\}$, Eval computes the garbled outputs $\{Y_i\}$ as follows. Starting from the inputs, Eval proceeds component by component, evaluating each component to get the component output wire labels. When appropriate, it uses these component output wire labels together with the appropriate link labels to recover the input labels for later components. Finally, once all the components are evaluated, Eval recovers the garbled outputs $\{Y_i\}$ from the output components and uses $d$ for that component to recover the (real) output $y$.

For details on the exact garbling scheme used to garble the components, the format for indicating which wires to link, and several further optimization improvements, we refer the reader to the implementation details in Section 5.
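To make the Table 1 construction and free-XOR offset of Section 3.1, the output map of Section 3.3, and the Link and Eval procedures above concrete, here is an added Python example; it is not part of the paper and is not the garbling scheme of libgarble or CompGC. It garbles two single-AND-gate components under a shared offset $R$, links the output wire of the first to an input wire of the second with the single label $W_{ij} = W_i^0 \oplus W_j^0$, evaluates on labels alone, and decodes the result through a permuted output map $D$. The hash-based encryption with a zero-byte redundancy tag (so the evaluator can recognise the one row it is able to open), the 128-bit label length, and all function and variable names are assumptions of this example.

```python
import hashlib
import os
import secrets
from itertools import product
from typing import List, Optional, Tuple

LABEL_LEN = 16                    # 128-bit wire labels (assumption of this example)
Label = bytes
WirePair = Tuple[Label, Label]    # (W^0, W^1) for one wire

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def new_wire(R: Label) -> WirePair:
    """Free-XOR wire: W^1 = W^0 xor R for the global offset R."""
    w0 = os.urandom(LABEL_LEN)
    return (w0, xor(w0, R))

def enc(msg: bytes, tag: bytes, *keys: Label) -> bytes:
    """Toy encryption under one or two labels, standing in for the
    Enc_{W_0^a}(Enc_{W_1^b}(.)) of Table 1: a hash-derived pad over msg followed
    by LABEL_LEN zero bytes, so decryption under the wrong keys is detected."""
    pad = hashlib.sha256(tag + b"".join(keys)).digest()          # 32 bytes
    return xor(msg + bytes(LABEL_LEN), pad)

def dec(ct: bytes, tag: bytes, *keys: Label) -> Optional[bytes]:
    pt = xor(ct, hashlib.sha256(tag + b"".join(keys)).digest())
    return pt[:LABEL_LEN] if pt[LABEL_LEN:] == bytes(LABEL_LEN) else None

class GarbledAnd:
    """A one-gate component c = AND, i.e. (GC_c, e_c, d_c) in the paper's notation."""
    def __init__(self, R: Label):
        self.e: List[WirePair] = [new_wire(R), new_wire(R)]   # input wires w_0, w_1
        self.d: WirePair = new_wire(R)                        # output wire w_out
        # Table 1: each row encrypts W_out^{a AND b} under (W_0^a, W_1^b); the rows
        # are then permuted so that a row's position reveals nothing about (a, b).
        self.gc: List[bytes] = [enc(self.d[a & b], b"gate", self.e[0][a], self.e[1][b])
                                for a, b in product((0, 1), repeat=2)]
        secrets.SystemRandom().shuffle(self.gc)

def eval_and(comp: GarbledAnd, x0: Label, x1: Label) -> Label:
    """The evaluator holds one label per input wire and can open exactly one row."""
    for row in comp.gc:
        out = dec(row, b"gate", x0, x1)
        if out is not None:
            return out
    raise ValueError("no row decrypted: labels do not belong to this component")

def link(out_wire: WirePair, in_wire: WirePair) -> Label:
    """Link (Section 4): the single label W_ij = W_i^0 xor W_j^0. Because both
    wires share the offset R, the same label also maps W_i^1 to W_j^1."""
    return xor(out_wire[0], in_wire[0])

def output_map(d: WirePair) -> List[bytes]:
    """Encrypted output map D (Section 3.3): a random permutation of
    Enc_{W^0}(0) and Enc_{W^1}(1), sent to the evaluator in place of d."""
    D = [enc(bytes([v]).ljust(LABEL_LEN, b"\0"), b"out", d[v]) for v in (0, 1)]
    secrets.SystemRandom().shuffle(D)
    return D

def decode(D: List[bytes], Z: Label) -> int:
    for ct in D:
        pt = dec(ct, b"out", Z)
        if pt is not None:
            return pt[0]
    raise ValueError("output label matches no entry of D")

def secure_and3(x0: int, x1: int, x2: int) -> int:
    """End to end: (x0 AND x1) AND x2, computed on labels only."""
    # Offline (garbler): components are garbled before the function is fixed.
    R = os.urandom(LABEL_LEN)
    c0, c1 = GarbledAnd(R), GarbledAnd(R)
    # Online (garbler): one link label chains c0's output wire into c1's first
    # input wire, plus one label per circuit input wire and the output map.
    w_link = link(c0.d, c1.e[0])
    X = [c0.e[0][x0], c0.e[1][x1], c1.e[1][x2]]
    D = output_map(c1.d)
    # Online (evaluator): never sees R, the unused labels, or the input bits.
    out0 = eval_and(c0, X[0], X[1])
    in1 = xor(out0, w_link)             # c0 output label -> c1 input label
    return decode(D, eval_and(c1, in1, X[2]))

def link_maps_both_labels() -> bool:
    """The free-XOR identity behind Link: W_i^0 xor W_j^0 = W_i^1 xor W_j^1."""
    R = os.urandom(LABEL_LEN)
    wi, wj = new_wire(R), new_wire(R)
    w_link = link(wi, wj)
    return xor(wi[0], w_link) == wj[0] and xor(wi[1], w_link) == wj[1]

if __name__ == "__main__":
    for bits in product((0, 1), repeat=3):
        print(bits, "->", secure_and3(*bits))
    print("one link label maps both labels:", link_maps_both_labels())
```

The point to notice is what crosses the wire online: `w_link` is one 16-byte label, and `X` is one label per circuit input, while both garbled tables could have been sent before the function was chosen; a wrong `w_link` or a label from a component garbled under a different $R$ makes `eval_and` fail its tag check rather than silently produce a label.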

Privacy. We now show how to adapt the standard privacy definition for garbled circuits [BHR12] to the component-based setting. Specifically, for a set of components $\{c_i\}_{i \in \mathrm{components}}$, we want that the pre-garbled components $\{GC_i\}$, together with the input labels $\{W_i^{x_i}\}_{i \in \mathrm{inputs}(C)}$ and the output map $d_{\mathrm{output}(C)}$ as well as all the link labels $\{W_{ij}\}_{i,j \in \mathrm{components}}$ do not reveal any information about $x$. Formally, as in the case of garbled circuits, we require that there exist a polynomial time simulator $\mathcal{S}$ that on input $(1^\kappa, C, C(x))$, where $C(\cdot)$ is some polynomial size circuit, outputs simulated component garbled circuits for all components in $C$, input and output labels, as well as all the linking labels $W_{ij}$ for linking all necessary wires, that are indistinguishable from $(\{GC_i\}, e_{\mathrm{input}(C)}, d_{\mathrm{output}(C)})$ and $W_{ij}$ generated by the real Garble and Link procedures. Formally, security is captured by the following game:

The privacy experiment $\mathrm{Expt}^{\mathrm{priv}}(\mathcal{A})$:

1. Invoke adversary $\mathcal{A}$: compute $(C, x) \leftarrow \mathcal{A}(1^\kappa)$.

2. Choose a random $b \leftarrow \{0, 1\}$.

3. If $b = 0$: For each component $c_i$ in $C$, compute $(GC_i, e_i, d_i) \leftarrow \mathrm{Garble}(1^\kappa, c_i)$. Additionally, for each pair of components $(c_i, c_j)$ that need to be linked, compute all the link labels $\{W_{ij}\} \leftarrow \mathrm{Link}(c_i, c_j)$. Finally, compute input labels $X = \{W_i^{x_i}\}$ and output map $d_{\mathrm{output}(C)}$. Then output challenge $\tau = (\{GC_i\}, \{W_{ij}\}, X, d_{\mathrm{output}(C)})$.

   If $b = 1$: Compute $\tau = (\{GC_i\}, \{W_{ij}\}, X, d_{\mathrm{output}(C)}) \leftarrow \mathcal{S}(1^\kappa, C, C(x))$.

4. Give $\mathcal{A}$ the challenge $\tau$ and obtain a guess $b' \leftarrow \mathcal{A}(\tau)$.

5. Output 1 if and only if $b' = b$.


Definition 1. A component-based garbled circuit scheme achieves privacy if for every probabilistic polynomial time $\mathcal{A}$ there exists a probabilistic polynomial time simulator $\mathcal{S}$ and a negligible function $\mu(\cdot)$ such that for every $\kappa \in \mathbb{N}$:

$$\Pr\left[\mathrm{Expt}^{\mathrm{priv}}(\mathcal{A}) = 1\right] \le \frac{1}{2} + \mu(\kappa).$$
4.1 Component-Based Secure Two-Party Computation


We now briefly describe how to use component-based garbled circuits for secure two-party computation. In an offline stage, before inputs or even the computation to be performed are known, the garbler runs Garble on a number of components to pre-garble these components; it then sends $\{GC_i\}_{i \in \mathrm{components}}$ and an encrypted form $D$ of $d_{\mathrm{output}(C)}$ (as specified in Section 3.3) to the evaluator. These components are circuit building blocks that comprise the eventual computation; however, their exact linking is not determined at this time. In parallel, the garbler and evaluator preprocess a number of instances of OT. Both the garbler and the evaluator store the received garbled components and preprocessed OTs.

When  the  function  /  to  compute  and  the  inputs  (x,  y)  are  known,  the  garbler  assembles  the  circuit  C 
out  of  the  garbled  components  {ci}.  For  each  component  pair  that  needs  to  be  linked,  the  garbler  runs 
LlNK(cj,  Cj)  and  sends  the  link  labels  W,3  along  with  the  indices  of  the  wires  to  be  linked  to  the  evaluator. 
Additionally,  the  garbler  sends  the  input  labels  {Wf! }  for  the  garbler’s  inputs.  Finally,  the  garbler  and 
evaluator  complete  the  online  phase  of  the  OTs  to  retrieve  the  labels  {Wf  ‘ }  for  the  evaluator’s  input.  Given 
this  information,  the  evaluator  runs  Eval  to  compute  the  circuit. 
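As an added worked example (it is not part of the original paper and not CompGC's own code), the following Python sketch runs the offline/online flow just described on a toy garbling scheme: two full-adder components are garbled offline under one shared free-XOR offset Δ, and online a single link label per wire re-keys the first adder's carry output into the second adder's carry-in, turning the two pre-garbled components into a 2-bit ripple-carry adder. The component format, the use of SHA-256 as the hash H, point-and-permute decoding, and the direct hand-over of the evaluator's input labels (standing in for the OT step) are all assumptions of the example.

```python
import hashlib
import os

LABEL_BYTES = 16  # 128-bit wire labels


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def lsb(label):
    """Point-and-permute bit of a label."""
    return label[-1] & 1


def H(a, b, gate_id):
    """Row key from the two input labels and a per-gate tweak (SHA-256 stands in for the paper's H)."""
    return hashlib.sha256(a + b + gate_id.to_bytes(4, "big")).digest()[:LABEL_BYTES]


# Hypothetical component format (not CompGC's JSON): (n_inputs, gates, output_wires).
# Wires 0..n_inputs-1 are inputs; each gate (op, a, b, out) writes a fresh wire.
FULL_ADDER = (3, [("XOR", 0, 1, 3), ("XOR", 3, 2, 4),
                  ("AND", 0, 1, 5), ("AND", 3, 2, 6), ("XOR", 5, 6, 7)], [4, 7])  # outputs: sum, carry


class Garbler:
    def __init__(self):
        d = bytearray(os.urandom(LABEL_BYTES))
        d[-1] |= 1                      # lsb(Delta) = 1, so W^0 and W^1 differ in their point bit
        self.delta = bytes(d)           # one free-XOR offset shared by every component
        self.next_gate_id = 0

    def garble(self, comp):
        """Offline: garble one component. Returns (GC, e, d) where e/d hold the zero-labels of
        the input/output wires; W^1 = W^0 xor Delta on every wire."""
        n_in, gates, outs = comp
        zero = {w: os.urandom(LABEL_BYTES) for w in range(n_in)}
        tables = []
        for op, a, b, out in gates:
            if op == "XOR":
                zero[out] = xor(zero[a], zero[b])       # free XOR
                tables.append(None)
                continue
            zero[out] = os.urandom(LABEL_BYTES)
            gid, self.next_gate_id = self.next_gate_id, self.next_gate_id + 1
            table = [None] * 4
            for va in (0, 1):
                for vb in (0, 1):
                    la = zero[a] if va == 0 else xor(zero[a], self.delta)
                    lb = zero[b] if vb == 0 else xor(zero[b], self.delta)
                    lo = zero[out] if (va & vb) == 0 else xor(zero[out], self.delta)
                    table[2 * lsb(la) + lsb(lb)] = xor(H(la, lb, gid), lo)  # row chosen by point bits
            tables.append((gid, table))
        return (n_in, gates, outs, tables), [zero[w] for w in range(n_in)], [zero[w] for w in outs]

    def label(self, e, wire, bit):
        """Label encoding `bit` on input wire `wire` of a component with input zero-labels e."""
        return e[wire] if bit == 0 else xor(e[wire], self.delta)

    def link(self, d_i, k, e_j, m):
        """Online: one link label re-keying output wire k of component i into input wire m of
        component j. A single label serves both bit values because both wires share Delta."""
        return xor(d_i[k], e_j[m])


def eval_component(gc, in_labels):
    """Evaluator: walk the gates of one garbled component and return its output labels."""
    n_in, gates, outs, tables = gc
    lab = dict(enumerate(in_labels))
    for (op, a, b, out), tab in zip(gates, tables):
        if op == "XOR":
            lab[out] = xor(lab[a], lab[b])
        else:
            gid, table = tab
            lab[out] = xor(table[2 * lsb(lab[a]) + lsb(lab[b])], H(lab[a], lab[b], gid))
    return [lab[w] for w in outs]


def decode(d, out_labels):
    """Output map: XOR of the point bits of the label and of the zero-label is the plaintext bit."""
    return [lsb(l) ^ lsb(z) for l, z in zip(out_labels, d)]


def ripple_add_2pc(x, y):
    """x: garbler's 2-bit input, y: evaluator's 2-bit input. Two FULL_ADDER components garbled
    offline are chained online into a 2-bit ripple-carry adder; returns x + y (0..6)."""
    g = Garbler()
    gc0, e0, d0 = g.garble(FULL_ADDER)       # offline: pre-garbled before the function is fixed
    gc1, e1, d1 = g.garble(FULL_ADDER)
    w_link = g.link(d0, 1, e1, 2)            # online: FA0.carry -> FA1.cin costs one label
    xb = [(x >> i) & 1 for i in range(2)]
    yb = [(y >> i) & 1 for i in range(2)]
    # Evaluator's side. Labels for yb stand in for what the OT phase would deliver.
    out0 = eval_component(gc0, [g.label(e0, 0, xb[0]), g.label(e0, 1, yb[0]), g.label(e0, 2, 0)])
    cin1 = xor(out0[1], w_link)              # re-key FA0's carry label into FA1's carry-in wire
    out1 = eval_component(gc1, [g.label(e1, 0, xb[1]), g.label(e1, 1, yb[1]), cin1])
    s0 = decode(d0, out0)[0]
    s1, carry = decode(d1, out1)
    return s0 | (s1 << 1) | (carry << 2)


if __name__ == "__main__":
    for x in range(4):
        for y in range(4):
            assert ripple_add_2pc(x, y) == x + y
    print("2-bit ripple adder from two pre-garbled full adders: ok")
```

The point to notice is in `link`: because every component is garbled under the same Δ, the XOR of the two zero-labels is enough to translate either label of the output wire into the matching label of the next component's input wire, which is why the online phase needs only one label per linked wire rather than a re-garbled gate.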


4.2  Analysis 

To analyze the performance of component-based 2PC, we look separately at the online and offline phases. In
the offline phase, the garbling and transmission of the garbled components costs about as much communication
as garbling and sending a whole circuit normally does. However, this communication is done offline and thus does
not affect the online running time. The online phase, on the other hand, only sends one link label per pair
of wires connecting two components. So, in total, the online communication necessary is just one label
for each component input wire (along with information on which output wires map to which input wires).
We note that, even in the case where components are just single gates, this still achieves
communication of one label per gate (and XOR gates remain free). This is a 50% savings over the best known
construction [ZRE15] (again, discounting the metadata required to link these wires together). In the more
realistic case, where components are substantially larger, the savings can be much greater.

4.3  Security 

We  now  sketch  a  proof  of  security  for  our  offline/online  construction.  Roughly,  what  we  need  to  prove  is  that 
the  added  linking  labels  do  not  break  the  security  of  the  original  garbled  circuit  construction.  More  formally, 
we  need  to  show  a  simulator  that,  given  the  output  y ,  is  able  to  generate  simulated  garbled  components  and 
linking  labels  that  would  look  indistinguishable  from  the  true  garbled  circuit. 

We  must  consider  the  view  of  each  party,  where  the  “view”  includes  any  messages  received  during  the 
protocol.  (Values  computed  and  sent  by  a  party  themselves  cannot  give  them  additional  information.)  First 
we  note  that  the  view  of  the  garbler  in  this  construction  only  consists  of  its  side  of  the  OT  protocol  executions. 
This  is  the  same  as  its  view  in  the  standard  garbled  circuit  protocol,  so  no  additional  security  argument  is 
needed. 

Next we consider security against a semi-honest evaluator. Roughly, we can use a slightly modified version
of the standard garbled circuit simulator. This simulator produces a garbled circuit GC for the overall circuit
C. The simulator then divides this circuit into components matching the components that were pre-garbled
by the protocol. These garbled components are then modified as follows. For each output wire of each
linked component, a random label W_i is chosen and XORed with the output wire label. The result is
a new label for each output wire. (The tables in the final gate before each output wire are modified to
match the new values.) The output wires still have truly random labels, so these simulated values remain
indistinguishable from the evaluator's true view. We now simply note that the random values W_i for each
component output wire serve as the simulated linking values connecting each component's output
to the relevant input wires of the next component. They have the same mathematical relationship to the
wire labels as the true linking values do. Therefore the simulator has produced a complete simulation of the
evaluator's view, and security is achieved.


5  Implementation 


We have implemented all the theoretical ideas discussed above in CompGC, a new system for secure computation
with preprocessing. Here we describe the implementation in detail, and in the next section we present
performance numbers from our experimental results.

CompGC uses as its primary building block the libgarble library, which is based on the JustGarble implementation
of Bellare et al. [BHKR13]. We chose to use libgarble over existing approaches, such as TinyGarble [SHS+15],
due to its efficiency,^3 the fact that it can be compiled as a shared library, and its consistent API. The
libgarble library does just what its name implies: it creates a garbled version of a specified circuit and
evaluates that circuit given inputs. It is a tool, rather than a complete implementation of secure computation.
It does not carry out the oblivious transfers (OTs) necessary to share input, or the networked interactions
necessary to send the garbled circuit (or the information for the OT protocols, or the output) between parties.

The libgarble library is based on JustGarble, but several improvements have been made to the code,
including cleaning up the API, improving the structures for storing the garbled circuit, etc. With these
modifications, we can now evaluate an AES circuit in around 17 cycles/gate, a computation that takes
around 22 cycles/gate on the same hardware with the original JustGarble implementation, an improvement
of around 22%. Note that, while implemented in libgarble, we do not use the half-gates approach of Zahur
et al. [ZRE15], which reduces the size of each garbled gate to two labels at the cost of two calls to the hash
function H during evaluation. We instead use a scheme proposed by Bellare et al. [BHKR13] which requires
three labels to be transferred but only one call to H during evaluation. As we are only concerned with the
online time, the benefit of a smaller circuit is outweighed by the extra cost in evaluation.

^3 Using libgarble as a building block, securely computing AES over localhost using precomputed OTs takes 4.4 ms (cf. Table 2),
whereas TinyGarble using their --disable-OT flag takes 13 ms.

We  then  use  libgarble  to  build  CompGC.  CompGC  has  both  an  offline  and  an  online  phase.  In  the  offline 
phase,  CompGC  is  given  a  library  of  components  and  computes  a  specified  number  of  each  component.  This 
library  could  be  small  and  special-built  for  a  certain  class  of  functions,  or  it  could  be  a  huge  library  of  many 
common  computational  steps,  meant  to  allow  faster  online  computation  of  most  realistic  functions. 

In the offline phase, the garbler side of CompGC uses libgarble to generate and garble the component
circuits. The garbler saves the garbled component circuits, each tagged with a unique ID, together with their input and
output labels, to disk. The garbler side also sends the garbled component circuits and their unique IDs to
the evaluator side, which saves the received data to disk. The offline phase finishes by performing the offline
portion of OT preprocessing as described by Beaver [Bea95].

We  specify  the  function  that  the  garbler  and  evaluator  compute  in  the  online  phase  with  a  JSON  file.  The 
file  specifies  what  types  of  components  are  needed  for  the  computation,  and  how  the  components’  input  and 
output  wires  should  be  connected.  (Another  format  could  be  used  to  gain  a  small  efficiency  improvement, 
but  we  value  the  fact  that  the  JSON  file  is  human-readable.) 

The  garbler  receives  this  function  and  the  garbler’s  input  to  the  function  at  the  beginning  of  the  online 
phase.  It  then  generates  a  set  of  instructions  for  the  evaluator.  The  instructions  specify  particular  pre¬ 
shared  garbled  circuits  (by  ID,  rather  than  just  by  type).  The  instructions  also  specify  an  order  for  their 
evaluation  and  specify  how  to  feed  the  outputs  of  one  component  into  the  inputs  of  others.  (This  requires 
both  specifying  what  wires  connect  where  and  specifying  the  relevant  mask  for  each  pair  of  wires  that  are 
being  connected.)  Finally,  the  instructions  include  the  necessary  information  to  convert  the  output  wire 
labels  to  bits,  as  well  as  the  wire  labels  for  the  garbler’s  input.  The  garbler  sends  these  instructions  to  the 
evaluator. 

Next,  the  garbler  and  evaluator  perform  the  online  phase  of  preprocessed  oblivious  transfer,  resulting  in 
the  evaluator  having  input  labels  corresponding  to  its  input.  The  evaluator  now  has  all  of  the  information 
necessary  to  perform  the  computation.  It  evaluates  each  component  using  libgarble  (in  an  order  specified 
by  the  instructions) ,  and  computes  the  input  labels  for  each  component  from  either  input  labels  or  processing 
the  output  of  a  previous  component.  Finally,  the  evaluator  computes  the  final  output  (and  can  then  send  it 
back  to  the  garbler). 

6  Experimental  results 

We compared CompGC^4 with the traditional setting where the entire circuit is transferred online. We implemented
a semi-honest protocol using libgarble in which the parties preprocess OTs in an offline stage, but
the circuit garbling and transfer is done online. This is the closest setting to our work, as we assume that
the parties do not know which circuit they would like to compute until the online stage.

Experimental setup. All experiments were run on an Intel® Core™ i5-4210H CPU, and were conducted over
two network settings. The first involved running both parties on the default localhost configuration, which
on our machine has a latency of 0.012 ms and a bandwidth of 35.2 Gbit/sec. For the second network setting,
we used the built-in Linux network emulator netem to configure localhost to have a latency of 33 ms (the average
latency in the United States [lat]) and a bandwidth of 50 Mbit/sec (more than the average bandwidth of
31 Mbit/sec in the United States as of September 2014 [ban]). We chose to use a simulated network due to
the ease of controlling the latency and bandwidth as well as the ease of reproducibility. Our implementation
also requires reading data from disk: on our experimental machine we measured the cached read speed as
7.6 GB/sec and the buffered disk read speed as 96 MB/sec.

We  ran  four  experiments:  AES,  CBC  mode,  and  Levenshtein  distance  using  both  30  and  60  symbols.  We 
discuss  each  experiment  in  turn. 

^4 All experiments use commit 6af87990be49202fd2d957d8e36128e0ca294623.
[Figure 1: circuit diagram with inputs D[i-1][j-1], D[i-1][j], D[i][j-1], a[i] and b[j].]

Figure 1: Levenshtein core circuit (taken from Figure 5(c) from the work of Huang et al. [HEKM11]).


                 Time (simulated)                 Comm.
                 Naive           CompGC           Naive    CompGC
AES              542.6 ± 0.7     134.4 ± 0.1      24       0.656
CBC mode         4800 ± 0.0      321.5 ± 0.9      235      7.4
Leven. (30)      2200 ± 0.0      371.0 ± 0.9      108      10.0
Leven. (60)      10600 ± 0.0     1119.6 ± 2.1     524      44

Table 2: Experimental results; see Section 6 for the experimental setup. Leven. (XX) denotes Levenshtein distance
over strings containing XX symbols. All times are in milliseconds and all communication is in megabits. Naive denotes
our implementation of standard semi-honest 2PC using garbled circuits and preprocessed OTs using libgarble, whereas
CompGC denotes our component-based implementation. Time is (online) computation time, not including the time
to preprocess OTs, but including the time to load data from disk. All timings are of the evaluator's running time,
and are the average of 100 runs, with the value after the ± denoting the 95% confidence interval. The communication
reported is the number of bits received by the evaluator.


AES:  We  treat  each  round  of  AES  as  a  separate  component.  Thus,  computing  AES  involves  linking  together 
10  components  (for  each  of  the  10  rounds  of  AES  when  considering  128-bit  inputs). 

CBC mode: This algorithm provides a way of encrypting variable-length messages using a blockcipher (in
our case, AES) as an underlying building block. We use the same single-AES-round components as in the
above experiment, along with an XOR component. Our experiment involves running CBC mode over
a 10-block message, and thus we use 110 components (100 for the AES rounds and 10 for the XOR
components).


Levenshtein distance: This algorithm provides a measure of distance between two strings. We use as the
core component the Levenshtein core circuit as explained by Huang et al. [HEKM11]; see also Figure 1.
We use an 8-bit alphabet and run Levenshtein distance over strings containing both 30 and 60 symbols,
which corresponds to 900 and 3600 components, respectively.


We note that these experiments are just a sample of what can be done using our tool. While the components
we use are particular to our experiments, we note that, for example, an AES circuit could be used in other
systems besides just CBC mode (e.g., any function that uses a blockcipher). Likewise, we could break the
Levenshtein core circuit into its components (such as 2-MIN and AddOneBit; see Figure 1), which can likely
be used in other circuit constructions.


Experimental  results. 

Table 2 presents the results of the above experiments over our simulated network. We compare the
running times of both standard semi-honest secure two-party computation with the OTs preprocessed, which
we denote as Naive, and our component-based garbled circuit protocol, which we denote as CompGC. We
execute 100 runs of each experiment, reporting the average and the 95% confidence interval. Looking at the
running times on the simulated network we see drastic improvements of upwards of an order of magnitude for
CBC mode and Levenshtein using 60 symbols, as well as significant improvements for the other two cases. We
can see why this is the case by looking at the total communication of each approach: CompGC shows
the greatest time improvement for those experiments with the greatest communication improvement.

As the main use of CompGC is for more efficient online running time, we did not optimize the offline time
(we do not use OT extension and do not use a highly optimized OT implementation). However, we note
that our offline phase is still relatively efficient: around 30 ms for AES and around 450 ms for CBC mode
and Levenshtein with 60 symbols, all over localhost. Thus, we are not achieving efficient online secure
computation at the cost of an expensive offline phase: the offline phase involves only preprocessing OTs and
garbling and sending garbled circuits.

From  these  experiments,  we  validate  the  belief  that  communication  is  the  bottleneck  for  semi-honest  se¬ 
cure  two-party  computation  based  on  garbled  circuits  on  realistic  networks,  and  demonstrate  that  component- 
based  garbling  provides  a  powerful  technique  for  reducing  this  bottleneck. 

7  Conclusion 

Our  new  technique,  component-based  garbled  circuits,  has  greatly  reduced  online  computation  time  for 
secure  two-party  computation.  For  functions  we  tested,  the  time  needed  for  computation  was  reduced  by 
almost  an  order  of  magnitude.  This  is  done  by  decreasing  the  amount  of  data  that  must  be  communicated 
during  the  online  phase.  While  in  principle  one  could  construct  functions  for  which  our  technique  is  unlikely 
to  produce  more  than  50%  savings  with  any  realistic  set  of  precomputed  components,  the  benefit  for  realistic 
functions  is  much,  much  greater. 

We  have  shown  this  in  several  cases  where  the  general  type  of  function  is  known  ahead  of  time,  but  the 
specifics  (e.g.,  input  length)  are  not.  However,  the  principle  itself  has  much  wider  application  than  this.  To 
make  full  use  of  our  technique,  libraries  of  circuits  must  be  designed.  These  could  be  application-specific 
libraries  for  certain  domains  of  computation,  or  there  could  be  large,  general-purpose  libraries  meant  to 
provide  useful  components  for  most  functions.  Designing  these  sorts  of  libraries  would  also  allow  careful 
optimization  of  circuit  size  for  each  component. 

We  work  only  in  the  two-party  and  semi-honest  settings,  but  multi-party  and  malicious  settings  could 
be  amenable  to  a  similar  technique.  We  leave  the  task  of  designing  specific  protocols  for  these  settings  as 
future  work. 